1. Field of the Invention
The present invention relates to encryption technologies and in particular to encryption technologies which are secure against DFA attacks.
2. Description of the Related Art
In recent times it was found that the DFA attack (DFA = differential fault analysis) is a very effective attack on cryptosystems. In particular, it was stated that in RSA systems in which the Chinese Remainder Theorem (CRT) is used for the modular exponentiation, already a single “faulty” output caused by a DFA attack may be sufficient to “determine” the secret key, for example in a signature calculation. On the other hand, the modular exponentiation in the RSA algorithm is preferably calculated using the CRT, since in particular for large moduli a high calculating efficiency may be achieved. The RSA algorithm for message enciphering and deciphering, respectively, or for signature calculation is described in its application with and without CRT in “Handbook of Applied Cryptography”, A. Menezes et al., CRC Press, 1996. While an efficient calculation of the modular exponentiation without CRT requires calculating units whose width is at least as large as the modulus, the RSA CRT algorithm allows a calculating unit with a predetermined number of elementary cells, i.e. a predetermined length, to perform a calculation in which the modulus (and therefore the key) has almost twice the length of the calculating unit. This is especially important for RSA applications, as here the security against so-called “brute force attacks”, in which all possibilities are tested successively, increases with increasing key length.
The basic idea of a DFA attack is to subject the cryptochip to an extreme situation while it performs a cryptographic calculation, so that the output of the cryptochip becomes faulty. Such a measure is, for example, to expose the chip during the calculation to high mechanical stress, high electromagnetic radiation, a series of light flashes etc., such that for example register contents of the chip become faulty or gates within the chip no longer fulfil their specified function but do something different, which leads to an output fault.
It was shown that such a faulty output, although faulty, still contains so much information about the secret on which the algorithm is based, for example the encryption key in the case of a symmetric cryptosystem or the private key in the case of an asymmetric cryptosystem, that an effective DFA attack may be performed.
Defence measures against such DFA attacks consist in the simplest case in performing each cryptographic calculation twice, wherein the result of the first cryptographic calculation is compared to the result of the (identical) second cryptographic calculation. Depending on this comparison a query takes place: in the (positive) case in which both results are identical, an output is performed, while in the case in which the two results differ, the output is prevented or at least an alarm message is provided. The core of this defence measure is therefore to suppress any output whenever a fault is assumed to be present, so that an attacker who has performed a DFA attack will not obtain a chip output and therefore cannot draw any conclusion about the secret on which the algorithm is based.
The above-mentioned defence measure against DFA attacks is problematic in so far as it assumes that the chip does not make the same mistake in both calculations. An attack which induces the same fault in both calculations would not be recognized.
Alternative measures are to provide the cryptochip with voltage sensors, radiation sensors, temperature sensors etc., in order to detect possible external attacks on the chip directly and then to suppress the output when an attack is detected.
Due to the variety of attack scenarios and the many sensors required to cover them, such a defence measure may often not be performed at all or only partially.
Still further defence measures are to compare intermediate results within a (longer) cryptographic algorithm to each other or to observe them, respectively. Often dependencies exist within an algorithm which require that a number of intermediate results, already before the output, stand in a certain relation to each other, independent of the data to be encrypted or of the key. If it is determined that intermediate results which should stand in a certain relation to each other in a correct algorithm run are not in this relation, it may be concluded that an attack is being performed. In this case again an IF branch, i.e. a conditional jump, is performed: when the expected result of the query occurs, an output is performed, while when a result deviating from the expectation occurs, the output is suppressed or error messages, interrupts etc. are issued, in order to, for example, indicate a current (assumed) DFA attack to the operating system.
DFA attacks on cryptosystems, such as RSA, symmetric systems like DES, AES and others, or elliptic curve cryptosystems, are thus blocked in that a correctness examination of some kind is performed and, in case of a fault, the output of a false ciphered message or a false signature by, e.g., a smartcard is suppressed. Problematic about this defence measure is, however, the IF branch. Should an attacker be able to interfere with this final error examination, i.e. the conditional jump, then the output of a faulty ciphered message or a faulty “signature” is effected after all, and the DFA attack is thus successfully completed.
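The compare-before-output defence and the “correctness examination” described above, as an added example that is not part of the patent: a toy RSA-CRT signature whose result is re-derived with the public key before it is released, using constructed small primes; the `fault` parameter is an assumed test hook that corrupts one CRT half so the check can be seen to suppress the output.

```python
# Toy RSA-CRT signing with a correctness examination before output.
# Added example, not from the patent. Key values are constructed and far
# too small for real use; they only make the arithmetic easy to follow.
p, q = 61, 53            # constructed toy primes
n = p * q                # 3233
e = 17                   # public exponent
phi = (p - 1) * (q - 1)  # 3120
d = pow(e, -1, phi)      # 2753, private exponent
dp, dq = d % (p - 1), d % (q - 1)   # CRT exponents
q_inv = pow(q, -1, p)               # q^-1 mod p for Garner recombination


def crt_sign(m, fault=None):
    """Sign m with RSA-CRT (Garner's form).

    `fault` is an assumed hook used only to simulate an injected fault:
    "p" or "q" flips one bit of the corresponding half-signature, the
    kind of single corrupted intermediate result a DFA attack aims for.
    """
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if fault == "p":
        sp ^= 1
    elif fault == "q":
        sq ^= 1
    h = (q_inv * (sp - sq)) % p
    return sq + q * h


def checked_sign(m, fault=None):
    """Correctness examination: only release s if it verifies under the
    public key. A faulty half-signature changes s mod p or s mod q, so
    s^e mod n no longer equals m and the output is suppressed (None)."""
    s = crt_sign(m, fault)
    if pow(s, e, n) != m % n:
        return None          # assumed fault: suppress the output
    return s


if __name__ == "__main__":
    print("good signature :", checked_sign(65))
    print("faulted (p)    :", checked_sign(65, fault="p"))
    print("faulted (q)    :", checked_sign(65, fault="q"))
```

The check itself is the IF branch the passage calls problematic: if an attacker can skip the comparison, `crt_sign`'s faulty value is released, which is why the comparison must be protected as carefully as the exponentiation.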